Help with virus disabling malware and virus scan

"I have problems with my personal computer, My computer started getting slow, then I tried to run a scan with my McAffe but I could not do it, I just have the message: ERROR-Starting on Demand Scanner. Then I tried to run the Malwarebytes AntiMalware and I then start and then disappear from my screen. I follow your instructions about updating Java and run the HijackThis and it just disappear from my screen too. Could you please help me out, I do not know what else to do?"

I have the exact same problem as this guy. I should also point out I usually use firefox and was using it when i got the virus, but it seems to have disabled that as well. So right now I am using Google Chrome.

Thanks for any help.

Sorry, here's a link to the thread I was quoting, in case it is any help.

http://www.geekpolice.net/virus-spyware-malware-removal-f11/error-starting-on-demand-scanner-t12398.htm

Last edited by JohnKramer on 1st November 2009, 8:09 pm; edited 1 time in total (Reason for editing : add a link)

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
cngaudit.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Log created at 11:49 on 03/11/2009 by Ayyub Maadani (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\I386\SCECLI.DLL --a--- 174592 bytes [15:08 14/10/2004] [04:00 29/08/2002] 97418A5C642A5C748A28BD7CF6860B57
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [11:11 23/08/2008] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [13:19 22/10/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\SYSTEM32\scecli.dll --a--- 181248 bytes [04:00 29/08/2002] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\I386\NETLOGON.DLL --a--- 399360 bytes [15:07 14/10/2004] [04:00 29/08/2002] 3ADD563ED7A1C66E6F5E0F7A661AA96D
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [11:11 23/08/2008] [23:56 03/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [13:18 22/10/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\SYSTEM32\netlogon.dll --a--- 407040 bytes [04:00 29/08/2002] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\I386\EVENTLOG.DLL --a--- 49152 bytes [15:04 14/10/2004] [04:00 29/08/2002] BF3C8CF53C77B48206B39910B6D6CBCC
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [11:11 23/08/2008] [23:56 03/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [13:18 22/10/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\SYSTEM32\eventlog.dll --a--- 61952 bytes [04:00 29/08/2002] [00:11 14/04/2008] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

I downloaded avenger but when I tried to extract it an alert from mcafee popped up and blocked it as a trojan?

Heres what it says :

"McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: BackDoor-EFN (Trojan), BackDoor-EFN (Trojan)
Location: C:\Documents and Settings\Ayyub Maadani\My Documents\Downloads\avenger\avenger.exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer."

Ignore the warning, disable/uninstall Mcafee, it's wrong about that, false positive.

I did everything but a black command window didn't open on the desktop instead mcafee blocked it as a trojan again. Which is weird because I turned it off before...

However, the log file did show up:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.41
Database version: 3107
Windows 5.1.2600 Service Pack 3

05/11/2009 22:05:14
mbam-log-2009-11-05 (22-05-14).txt

Scan type: Quick Scan
Objects scanned: 191842
Time elapsed: 29 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Ayyub Maadani\Local Settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3333968868-2200709785-3983559585-1008\Dc230.exe (Adware.Agent.N) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3333968868-2200709785-3983559585-1008\Dc241.exe (Adware.Agent.N) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3333968868-2200709785-3983559585-1008\Dc253.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ayyub Maadani\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ayyub Maadani\Local Settings\Temp\a.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\MarioParty4-Boo.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ayyub Maadani\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Hello.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  
• Double click DDS.scr to run.
  
• When complete, two logs will open. Save both of the report to your Desktop.
  
• Copy and paste BOTH LOGS back here, use more than one post if needed.
  

DDS (Ver_09-10-26.01) - NTFSx86
Run by Ayyub Maadani at 23:44:13.87 on 05/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page =
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Aim6]
uRun: [WinDNN] "c:\documents and settings\ayyub maadani\application data\google\klnxv19819115.exe" 2
uRun: [SB Audigy 2 Startup Menu] /L:ENG
uRun: [Google Update] "c:\documents and settings\ayyub maadani\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ares destiny] "c:\program files\ares destiny\Ares.exe" -h
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VirusScan] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\ayyubm~1\startm~1\programs\startup\sdktra~1.lnk - c:\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\bluetooth\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ayyubm~1\applic~1\mozilla\firefox\profiles\q4beip64.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&btnG=Google+Search
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\documents and settings\ayyub maadani\application data\mozilla\firefox\profiles\q4beip64.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}\components\Engine.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\ayyub maadani\application data\mozilla\firefox\profiles\q4beip64.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\ayyub maadani\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-01 18:13:09 3 ----a-w- c:\documents and settings\ayyub maadani\tray.pid
2009-11-01 17:43:20 116 ----a-w- c:\documents and settings\ayyub maadani\.asadminpass
2009-11-01 17:43:09 789 ----a-w- c:\documents and settings\ayyub maadani\.asadmintruststore
2009-11-01 17:38:11 23108 ----a-w- c:\windows\system32\productregistry
2009-11-01 17:12:03 0 dc----w- C:\Sun
2009-11-01 16:46:19 0 d-----w- c:\documents and settings\ayyub maadani\.SunDownloadManager
2009-10-30 11:15:56 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-30 11:13:08 0 d-----w- c:\documents and settings\ayyub maadani\.housecall6.6

==================== Find3M ====================

2009-09-16 09:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-10 14:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 15:16:05 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2008-09-19 18:26:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

============= FINISH: 23:45:09.51 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
05
4Media PS3 Video Converter
4oD
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.2
Adobe Reader Japanese Fonts
Adobe Photoshop Album Starter Edition 3.0
AIM 6
Apple Mobile Device Support
Apple Software Update
ArcSoft Camera Suite 1.3
ArcSoft Collage Creator
ArcSoft Multimedia Email
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
Ares Destiny 3.0
ATI Display Driver
AviSynth 2.5
Battlefield Heroes
BBC iPlayer Desktop
BBC iPlayer Download Manager
Bluetooth Software
Bonjour
Broadcom Advanced Control Suite 2
Camera Window
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon ScanGear Toolbox CS 2.2
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CIG
Combined Community Codec Pack 2007-07-22
Corel Applications
Creative MediaSource
Creative WebCam Center
Creative WebCam Live! Pro Driver (1.00.06.0811)
Creative WebCam Live! Pro User's Guide (English)
Critical Update for Windows Media Player 11 (KB959772)
Dell Media Experience
Dell Photo AIO Printer 922
Dell Solution Center
Dell System Restore
DiscIndisK Vitual CD-ROM
DivX Web Player
DVD Decrypter (Remove Only)
DVD Suite
File Viewer Utility 1.2.1
First Step Guide
G4a922EN
Get Yahoo! Messenger
GOM Player
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Help and Support Customization
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotspot Shield 1.04
ImageMixer VCD2
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
InterActual Player
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java Platform, Enterprise Edition 5 SDK
Java(TM) 6 Update 10
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
LG ODD Auto Firmware Update
LogMeIn
Macromedia Flash MX
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft Works 7.0
Modem Event Monitor
Modem Helper
Modem On Hold
Monopoly Star Wars
Mozilla Firefox (3.0.15)
MSN Winks Plus
MSXML 4.0 SP2 (KB954430)
MyEmoticons
NinjaVideo Helper
Nintendo Desktop Manager
Nintendo Wi-Fi USB Connector Registration Tool
Nokia Connectivity Cable DKU-2 Drivers
osu!
PhotoStitch
Picture Package
PowerDVD
PowerProducer
PSP Video 9 5.01
PunkBuster Services
QuickTime
Rapport
Real Alternative 1.9.0
RemoteCapture 2.7.1
Rugrats Print Shop
scr_Metroidprime Screen Saver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Skype 3.8
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sony Ericsson PC Suite
Sony USB Driver
Sound Blaster Audigy 2
SpeedTouch USB Software
SuperMarioSunshine Screen Saver
The Battle for Middle-earth (tm)
The Legend of Zelda Screensaver
tunnel Screen Saver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Veoh Web Player
Videora Nokia 5800 XpressMusic Converter 4.08
Videora Xbox 360 Converter 4.08
Viewpoint Media Player
Wanadoo Search Toolbar
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
YouTube Downloader App 2.01

==== End Of File ===========================

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV.
  
• Double click on svchost.exe.
  
• Follow the prompts. NOTE:
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-11-05.05 - Ayyub Maadani 06/11/2009 16:05.1.2 - NTFSx86
Running from: c:\documents and settings\Ayyub Maadani\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ayyub Maadani\Desktop\[Torrentsworld.net] - No More Heroes Original Sound Tracks (vgmTorrents net).torrent
c:\documents and settings\Ayyub Maadani\Desktop\[Torrentsworld.net] - No More Heroes Original Sound Tracks (vgmTorrents net).torrent
c:\windows\run.log
c:\windows\system32\install.exe
c:\windows\system32\logs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-01 17:12 . 2009-11-01 17:12 -------- dc----w- C:\Sun
2009-11-01 16:46 . 2009-11-01 17:40 -------- d-----w- c:\documents and settings\Ayyub Maadani\.SunDownloadManager
2009-10-30 11:15 . 2009-10-30 11:13 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-30 11:13 . 2009-10-30 11:16 -------- d-----w- c:\documents and settings\Ayyub Maadani\.housecall6.6
2009-10-17 18:26 . 2009-10-17 18:26 -------- d-----w- c:\documents and settings\Ibrahim Maadani\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 16:46 . 2008-01-26 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-06 16:33 . 2007-11-07 18:30 -------- d-----w- c:\program files\lg_fwupdate
2009-11-06 16:30 . 2004-09-30 19:49 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000004-10031102}.dat
2009-11-06 16:30 . 2004-09-30 19:49 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000004-10031102}.dat
2009-11-06 15:43 . 2007-01-13 11:52 -------- d-----w- c:\program files\McAfee
2009-11-05 21:32 . 2008-09-19 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 19:42 . 2004-11-07 08:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-01 17:53 . 2004-09-30 19:36 -------- d-----w- c:\program files\Java
2009-10-17 18:55 . 2004-10-14 19:29 86352 ----a-w- c:\documents and settings\Ibrahim Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 19:03 . 2009-09-29 16:03 -------- d-----w- c:\program files\HandBrake
2009-09-29 16:12 . 2009-09-29 16:12 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\HandBrake
2009-09-29 15:45 . 2009-07-06 18:49 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\Red Kawa
2009-09-29 09:58 . 2009-09-29 09:58 -------- d-----w- c:\program files\Regensoft
2009-09-16 09:22 . 2007-01-13 11:53 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 . 2007-01-13 11:53 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 . 2007-01-13 11:53 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 . 2007-01-13 11:53 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 . 2007-01-13 11:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 08:54 . 2004-11-05 09:51 86352 ----a-w- c:\documents and settings\Sandra Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 08:53 . 2009-09-15 08:53 -------- d-----w- c:\documents and settings\Sandra Maadani\Application Data\Trusteer
2009-09-15 08:19 . 2009-09-15 08:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
2009-09-14 19:33 . 2007-01-13 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-14 12:05 . 2008-07-22 11:39 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\Skype
2009-09-14 11:52 . 2006-12-25 11:40 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-14 10:06 . 2008-07-22 11:42 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\skypePM
2009-09-10 14:54 . 2008-09-19 18:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 . 2008-09-19 18:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 20:21 . 2009-09-01 20:20 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-08-18 21:40 . 2004-10-18 19:35 86352 ----a-w- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-03 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"="/L:ENG" [X]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"Google Update"="c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-14 133104]
"ares destiny"="c:\program files\Ares Destiny\Ares.exe" [2007-08-07 2970112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-11-07 249856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"combofix"="c:\combofix\CF14212.exe" [2009-11-06 389120]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-11-1 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Registration Tool.lnk
backup=c:\windows\pss\Run Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^DiscinDisK.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\DiscinDisK.lnk
backup=c:\windows\pss\DiscinDisK.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^wpc.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\wpc.lnk
backup=c:\windows\pss\wpc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Ares Destiny\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 0160741257500966mcinstcleanup;McAfee Application Installer Cleanup (0160741257500966);c:\windows\TEMP\016074~1.EXE [x]
R3 EMSLink;EMS Inter-Link driver V3.0;c:\windows\system32\Drivers\EM3Link.sys [2006-12-02 9744]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2009-08-18 58728]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2009-08-18 333928]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2007-04-17 12992]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-04-05 46112]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-09-16 92296]
S2 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 110592]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-08-18 955624]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 CDCCG;Machoman V-CD 0.53!machoman China;c:\windows\system32\Drivers\cdg.sys [2002-01-08 26640]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0160741257500966MCINSTCLEANUP
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3333968868-2200709785-3983559585-1008Core.job
- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 10:22]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3333968868-2200709785-3983559585-1008UA.job
- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 10:22]

2004-10-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2008-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 11:22]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page =
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
FF - ProfilePath - c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&btnG=Google+Search
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}\components\Engine.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WinDNN - c:\documents and settings\Ayyub Maadani\Application Data\Google\klnxv19819115.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-VirusScan - c:\progra~1\mcafee.com\vso\mcvsshld.exe
AddRemove-HijackThis - c:\documents and settings\Ayyub Maadani\My Documents\Downloads\HijackThis.exe
AddRemove-MyEmo - c:\program files\MyEmoticons\uninstall.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 16:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys spyo.sys hal.dll >>UNKNOWN [0x87386938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF094 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF094 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x127E8 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12AA8 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17118 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x171A4 != 0xF74A9240 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Bluetooth\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-11-06 16:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 16:52

Pre-Run: 121,475,334,144 bytes free
Post-Run: 122,307,010,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 9FE84045755CA4464A1E8BF935FD54FB

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
cngaudit.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:32 on 07/11/2009 by Ayyub Maadani (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\I386\SCECLI.DLL --a--- 174592 bytes [15:08 14/10/2004] [04:00 29/08/2002] 97418A5C642A5C748A28BD7CF6860B57
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [11:11 23/08/2008] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [16:49 06/11/2009] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [13:19 22/10/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\SYSTEM32\scecli.dll ------ 181248 bytes [04:00 29/08/2002] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\I386\NETLOGON.DLL --a--- 399360 bytes [15:07 14/10/2004] [04:00 29/08/2002] 3ADD563ED7A1C66E6F5E0F7A661AA96D
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [11:11 23/08/2008] [23:56 03/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [16:49 06/11/2009] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [13:18 22/10/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\SYSTEM32\netlogon.dll ------ 407040 bytes [04:00 29/08/2002] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\I386\EVENTLOG.DLL --a--- 49152 bytes [15:04 14/10/2004] [04:00 29/08/2002] BF3C8CF53C77B48206B39910B6D6CBCC
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [11:11 23/08/2008] [23:56 03/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [13:18 22/10/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

ComboFix 09-11-08.03 - Ayyub Maadani 09/11/2009 10:35.2.2 - NTFSx86
Running from: c:\documents and settings\Ayyub Maadani\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ayyub Maadani\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 10:35 . 2004-08-03 23:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-11-09 10:35 . 2004-08-03 23:56 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-01 17:12 . 2009-11-01 17:12 -------- dc----w- C:\Sun
2009-11-01 16:46 . 2009-11-01 17:40 -------- d-----w- c:\documents and settings\Ayyub Maadani\.SunDownloadManager
2009-10-30 11:15 . 2009-10-30 11:13 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-30 11:13 . 2009-10-30 11:16 -------- d-----w- c:\documents and settings\Ayyub Maadani\.housecall6.6
2009-10-17 18:26 . 2009-10-17 18:26 -------- d-----w- c:\documents and settings\Ibrahim Maadani\Application Data\Trusteer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 11:17 . 2008-01-26 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-09 11:04 . 2007-11-07 18:30 -------- d-----w- c:\program files\lg_fwupdate
2009-11-09 10:57 . 2004-09-30 19:49 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000004-10031102}.dat
2009-11-09 10:57 . 2004-09-30 19:49 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000004-10031102}.dat
2009-11-09 10:04 . 2007-01-13 11:52 -------- d-----w- c:\program files\McAfee
2009-11-05 21:32 . 2008-09-19 18:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 19:42 . 2004-11-07 08:33 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-01 17:53 . 2004-09-30 19:36 -------- d-----w- c:\program files\Java
2009-10-17 18:55 . 2004-10-14 19:29 86352 ----a-w- c:\documents and settings\Ibrahim Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 19:03 . 2009-09-29 16:03 -------- d-----w- c:\program files\HandBrake
2009-09-29 16:12 . 2009-09-29 16:12 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\HandBrake
2009-09-29 15:45 . 2009-07-06 18:49 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\Red Kawa
2009-09-29 09:58 . 2009-09-29 09:58 -------- d-----w- c:\program files\Regensoft
2009-09-16 09:22 . 2007-01-13 11:53 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 . 2007-01-13 11:53 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 . 2007-01-13 11:53 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 . 2007-01-13 11:53 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 . 2007-01-13 11:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-15 08:54 . 2004-11-05 09:51 86352 ----a-w- c:\documents and settings\Sandra Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 08:53 . 2009-09-15 08:53 -------- d-----w- c:\documents and settings\Sandra Maadani\Application Data\Trusteer
2009-09-15 08:19 . 2009-09-15 08:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee
2009-09-14 19:33 . 2007-01-13 11:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-14 12:05 . 2008-07-22 11:39 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\Skype
2009-09-14 11:52 . 2006-12-25 11:40 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-14 10:06 . 2008-07-22 11:42 -------- d-----w- c:\documents and settings\Ayyub Maadani\Application Data\skypePM
2009-09-10 14:54 . 2008-09-19 18:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 . 2008-09-19 18:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 20:21 . 2009-09-01 20:20 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-08-18 21:40 . 2004-10-18 19:35 86352 ----a-w- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-11-06_16.33.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-09 10:58 . 2009-11-09 10:58 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-11-09 10:58 . 2009-11-09 10:58 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2002-09-03 01:08 . 2009-11-09 10:08 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 01:08 . 2009-11-06 15:42 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2009-11-06 19:57 . 2009-11-09 10:08 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2002-09-03 01:08 . 2009-11-06 15:42 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"="/L:ENG" [X]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"Google Update"="c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-14 133104]
"ares destiny"="c:\program files\Ares Destiny\Ares.exe" [2007-08-07 2970112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-11-07 249856]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2003-02-20 28672]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\SYSTEM32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-11-1 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Nintendo Wi-Fi USB Connector Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
backup=c:\windows\pss\Run Nintendo Wi-Fi USB Connector Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Registration Tool.lnk
backup=c:\windows\pss\Run Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^DiscinDisK.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\DiscinDisK.lnk
backup=c:\windows\pss\DiscinDisK.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ayyub Maadani^Start Menu^Programs^Startup^wpc.lnk]
path=c:\documents and settings\Ayyub Maadani\Start Menu\Programs\Startup\wpc.lnk
backup=c:\windows\pss\wpc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\Ares Destiny\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\SYSTEM32\\rtcshare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 0134541257761057mcinstcleanup;McAfee Application Installer Cleanup (0134541257761057);c:\windows\TEMP\013454~1.EXE [x]
R3 EMSLink;EMS Inter-Link driver V3.0;c:\windows\system32\Drivers\EM3Link.sys [2006-12-02 9744]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2009-08-18 58728]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2009-08-18 333928]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2007-04-17 12992]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-04-05 46112]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-09-16 92296]
S2 NinjaVideo Helper.exe;NinjaVideo Helper;c:\program files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 110592]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-08-18 955624]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 CDCCG;Machoman V-CD 0.53!machoman China;c:\windows\system32\Drivers\cdg.sys [2002-01-08 26640]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0134541257761057MCINSTCLEANUP
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3333968868-2200709785-3983559585-1008Core.job
- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 10:22]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3333968868-2200709785-3983559585-1008UA.job
- c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 10:22]

2004-10-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2008-07-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 11:22]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-01-13 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
FF - ProfilePath - c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&btnG=Google+Search
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59099&p=
FF - component: c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\extensions\{19627815-20a6-46e6-be34-a0b6967c022a}\components\Engine.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Ayyub Maadani\Application Data\Mozilla\Firefox\Profiles\q4beip64.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys spbm.sys hal.dll >>UNKNOWN [0x87386938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0xF094 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF094 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x127E8 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12AA8 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17118 != 0xF74A9240 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x171A4 != 0xF74A9240 iaStor.sys
\Driver\iaStor IRP hooks detected !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(5052)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Bluetooth\Bluetooth Software\bin\btwdins.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\documents and settings\Ayyub Maadani\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-11-09 11:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 11:22
ComboFix2.txt 2009-11-06 16:52

Pre-Run: 122,053,271,552 bytes free
Post-Run: 122,030,059,520 bytes free

- - End Of File - - 330A92F90E02732F3822F3C17F8B6120

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

My computer has sped up and so is Firefox and Anti-Malware. However McAfee still comes up with the same error message and still won't scan.

"Scanning has encountered a problem from which it cannot recover. here are the problems details: - Error starting on demand scanner"

God this infection is annoying, it likes to leave it marks, guess we need to shift that too.

Please download this file.

• Please download Junction.zip and save it.
  
• Unzip it and put junction.exe in the Windows directory (C:\Windows).
  
• Go to Start => Run... => Copy and paste the following command in the run box and click OK:
  
  cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  
  
• A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
  

Gah, I meant to say both Firefox and Anti-Malware are working last time. I suck at typing see.


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Java\jre6\bin\java.exe: Access is denied.




...

...

.
Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\$hf_mig$\KB943460\KB943460: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

\\?\c:\\WINDOWS\$hf_mig$\KB969059\KB969059: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\$hf_mig$\KB971486\KB971486: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB973525\KB973525: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB974112\KB974112: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB974455-IE7\KB974455-IE7: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB974571\KB974571: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB975025\KB975025: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB975467\KB975467: MOUNT POINT
Substitute Name: \Device\__max++>\^

..

...

...

.\\?\c:\\WINDOWS\A4W_DATA\A4W_DATA: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F9.tmp\ZAP1F9.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A4.tmp\ZAP3A4.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP48C.tmp\ZAP48C.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4AC.tmp\ZAP4AC.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\temp\temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Debug\UserMode\UserMode: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\ftpcache\ftpcache: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

.\\?\c:\\WINDOWS\IME\IMEJP\APPLETS\APPLETS: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\IME\IMEJP98\IMEJP98: MOUNT POINT
Substitute Name: \Device\__max++>\^

..

...

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\MSAPPS\MSINFO\MSINFO: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msdownld.tmp\msdownld.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\MUI\MUI: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\New Folder\New Folder: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHealth\HelpCtr\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

...

\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\update\update.exe: Access is denied.


\\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\update\update.exe: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\update.exe: Access is denied.



Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\update\update.exe: Access is denied.


.\\?\c:\\WINDOWS\STPV temp\STPV temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

.
Failed to open \\?\c:\\WINDOWS\SYSTEM32\MRT.exe: Access is denied.


..

...

...

...
Failed to open \\?\c:\\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe: Access is denied.


\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^

Please download this file.

Like you did with juntion.exe, place inherit.exe into the Windows folder.

Now open a new notepad file.
Input this into the notepad file:

@echo off
"inherit.exe" "c:\Program Files\McAfee\VirusScan\mcods.exe"
"inherit.exe" "c:\Program Files\Java\jre6\bin\java.exe"
"inherit.exe" "c:\WINDOWS\SYSTEM32\MRT.exe"
exit

Save this as fix.bat, save it to your desktop.

Let it run until it says OK on each one.

Ok, I've done that. Is there anything else?

Nope, that should be it. Does Mcafee work now?

Yes, it seems to be working fine.

Thanks so much. I've already recommended you guys to my friends

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.